]> git.saurik.com Git - apple/xnu.git/blame_incremental - bsd/kern/kern_authorization.c
projects / apple / xnu.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
xnu-7195.101.1.tar.gz
[apple/xnu.git] / bsd / kern / kern_authorization.c
... / ...
CommitLineData
1/*
2 * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29/*
30 * Centralized authorisation framework.
31 */
32
33#include <sys/appleapiopts.h>
34#include <sys/param.h> /* XXX trim includes */
35#include <sys/acct.h>
36#include <sys/systm.h>
37#include <sys/ucred.h>
38#include <sys/proc_internal.h>
39#include <sys/timeb.h>
40#include <sys/times.h>
41#include <sys/malloc.h>
42#include <sys/vnode_internal.h>
43#include <sys/kauth.h>
44#include <sys/stat.h>
45
46#include <security/audit/audit.h>
47
48#include <sys/mount.h>
49#include <sys/sysproto.h>
50#include <mach/message.h>
51#include <mach/host_security.h>
52
53#include <kern/locks.h>
54
55
56/*
57 * Authorization scopes.
58 */
59
60LCK_GRP_DECLARE(kauth_lck_grp, "kauth");
61static LCK_MTX_DECLARE(kauth_scope_mtx, &kauth_lck_grp);
62#define KAUTH_SCOPELOCK() lck_mtx_lock(&kauth_scope_mtx);
63#define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(&kauth_scope_mtx);
64
65/*
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
70 */
71struct kauth_listener {
72 TAILQ_ENTRY(kauth_listener) kl_link;
73 const char * kl_identifier;
74 kauth_scope_callback_t kl_callback;
75 void * kl_idata;
76};
77
78/* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
81 * post Tiger.
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
87 */
88struct kauth_local_listener {
89 kauth_listener_t kll_listenerp;
90 kauth_scope_callback_t kll_callback;
91 void * kll_idata;
92};
93typedef struct kauth_local_listener *kauth_local_listener_t;
94
95static TAILQ_HEAD(, kauth_listener) kauth_dangling_listeners =
96 TAILQ_HEAD_INITIALIZER(kauth_dangling_listeners);
97
98/*
99 * Scope listeners need to be reworked to be dynamic.
100 * We intentionally used a static table to avoid locking issues with linked
101 * lists. The listeners may be called quite often.
102 * XXX - kauth_todo
103 */
104#define KAUTH_SCOPE_MAX_LISTENERS 15
105
106struct kauth_scope {
107 TAILQ_ENTRY(kauth_scope) ks_link;
108 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
109 const char * ks_identifier;
110 kauth_scope_callback_t ks_callback;
111 void * ks_idata;
112 u_int ks_flags;
113};
114
115/* values for kauth_scope.ks_flags */
116#define KS_F_HAS_LISTENERS (1 << 0)
117
118static TAILQ_HEAD(, kauth_scope) kauth_scopes = TAILQ_HEAD_INITIALIZER(kauth_scopes);
119
120static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
121static void kauth_scope_init(void);
122static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
123static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
124#if 0
125static int kauth_scope_valid(kauth_scope_t scope);
126#endif
127
128kauth_scope_t kauth_scope_process;
129static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
130 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
131kauth_scope_t kauth_scope_generic;
132static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
133 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
134kauth_scope_t kauth_scope_fileop;
135
136extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
137extern char * get_pathbuff(void);
138extern void release_pathbuff(char *path);
139
140/*
141 * Initialization.
142 */
143void
144kauth_init(void)
145{
146 /* bring up kauth subsystem components */
147 kauth_cred_init();
148 kauth_scope_init();
149}
150
151static void
152kauth_scope_init(void)
153{
154 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
155 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
156 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
157}
158
159/*
160 * Scope registration.
161 */
162
163static kauth_scope_t
164kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
165{
166 kauth_scope_t sp;
167
168 /*
169 * Allocate and populate the scope structure.
170 */
171 sp = kheap_alloc(KM_KAUTH, sizeof(*sp), Z_WAITOK | Z_ZERO);
172 if (sp == NULL) {
173 return NULL;
174 }
175 sp->ks_flags = 0;
176 sp->ks_identifier = identifier;
177 sp->ks_idata = idata;
178 sp->ks_callback = callback;
179 return sp;
180}
181
182static kauth_listener_t
183kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
184{
185 kauth_listener_t lsp;
186
187 /*
188 * Allocate and populate the listener structure.
189 */
190 lsp = kheap_alloc(KM_KAUTH, sizeof(*lsp), Z_WAITOK);
191 if (lsp == NULL) {
192 return NULL;
193 }
194 lsp->kl_identifier = identifier;
195 lsp->kl_idata = idata;
196 lsp->kl_callback = callback;
197 return lsp;
198}
199
200kauth_scope_t
201kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
202{
203 kauth_scope_t sp, tsp;
204 kauth_listener_t klp;
205
206 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) {
207 return NULL;
208 }
209
210 /*
211 * Lock the list and insert.
212 */
213 KAUTH_SCOPELOCK();
214 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
215 /* duplicate! */
216 if (strncmp(tsp->ks_identifier, identifier,
217 strlen(tsp->ks_identifier) + 1) == 0) {
218 KAUTH_SCOPEUNLOCK();
219 kheap_free(KM_KAUTH, sp, sizeof(struct kauth_scope));
220 return NULL;
221 }
222 }
223 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
224
225 /*
226 * Look for listeners waiting for this scope, move them to the active scope
227 * listener table.
228 * Note that we have to restart the scan every time we remove an entry
229 * from the list, since we can't remove the current item from the list.
230 */
231restart:
232 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
233 if (strncmp(klp->kl_identifier, sp->ks_identifier,
234 strlen(klp->kl_identifier) + 1) == 0) {
235 /* found a match on the dangling listener list. add it to the
236 * the active scope.
237 */
238 if (kauth_add_callback_to_scope(sp, klp) == 0) {
239 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
240 } else {
241#if 0
242 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
243#endif
244 break;
245 }
246 goto restart;
247 }
248 }
249
250 KAUTH_SCOPEUNLOCK();
251 return sp;
252}
253
254
255
256void
257kauth_deregister_scope(kauth_scope_t scope)
258{
259 int i;
260
261 KAUTH_SCOPELOCK();
262
263 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
264
265 /* relocate listeners back to the waiting list */
266 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
267 if (scope->ks_listeners[i].kll_listenerp != NULL) {
268 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
269 scope->ks_listeners[i].kll_listenerp = NULL;
270 /*
271 * XXX - kauth_todo - WARNING, do not clear kll_callback or
272 * kll_idata here. they are part of our scope unlisten race hack
273 */
274 }
275 }
276 KAUTH_SCOPEUNLOCK();
277 kheap_free(KM_KAUTH, scope, sizeof(struct kauth_scope));
278
279 return;
280}
281
282kauth_listener_t
283kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
284{
285 kauth_listener_t klp;
286 kauth_scope_t sp;
287
288 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) {
289 return NULL;
290 }
291
292 /*
293 * Lock the scope list and check to see whether this scope already exists.
294 */
295 KAUTH_SCOPELOCK();
296 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
297 if (strncmp(sp->ks_identifier, identifier,
298 strlen(sp->ks_identifier) + 1) == 0) {
299 /* scope exists, add it to scope listener table */
300 if (kauth_add_callback_to_scope(sp, klp) == 0) {
301 KAUTH_SCOPEUNLOCK();
302 return klp;
303 }
304 /* table already full */
305 KAUTH_SCOPEUNLOCK();
306 kheap_free(KM_KAUTH, klp, sizeof(struct kauth_listener));
307 return NULL;
308 }
309 }
310
311 /* scope doesn't exist, put on waiting list. */
312 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
313
314 KAUTH_SCOPEUNLOCK();
315
316 return klp;
317}
318
319void
320kauth_unlisten_scope(kauth_listener_t listener)
321{
322 kauth_scope_t sp;
323 kauth_listener_t klp;
324 int i, listener_count, do_free;
325
326 KAUTH_SCOPELOCK();
327
328 /* search the active scope for this listener */
329 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
330 do_free = 0;
331 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
332 listener_count = 0;
333 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
334 if (sp->ks_listeners[i].kll_listenerp == listener) {
335 sp->ks_listeners[i].kll_listenerp = NULL;
336 do_free = 1;
337 /*
338 * XXX - kauth_todo - WARNING, do not clear kll_callback or
339 * kll_idata here. they are part of our scope unlisten race hack
340 */
341 } else if (sp->ks_listeners[i].kll_listenerp != NULL) {
342 listener_count++;
343 }
344 }
345 if (do_free) {
346 if (listener_count == 0) {
347 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
348 }
349 KAUTH_SCOPEUNLOCK();
350 kheap_free(KM_KAUTH, listener, sizeof(struct kauth_listener));
351 return;
352 }
353 }
354 }
355
356 /* if not active, check the dangling list */
357 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
358 if (klp == listener) {
359 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
360 KAUTH_SCOPEUNLOCK();
361 kheap_free(KM_KAUTH, listener, sizeof(struct kauth_listener));
362 return;
363 }
364 }
365
366 KAUTH_SCOPEUNLOCK();
367 return;
368}
369
370/*
371 * Authorization requests.
372 *
373 * Returns: 0 Success
374 * EPERM Operation not permitted
375 *
376 * Imputed: *arg3, modified Callback return - depends on callback
377 * modification of *arg3, if any
378 */
379int
380kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
381 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
382{
383 int result, ret, i;
384
385 /* ask the scope */
386 if (scope->ks_callback != NULL) {
387 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
388 } else {
389 result = KAUTH_RESULT_DEFER;
390 }
391
392 /* check with listeners */
393 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
394 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
395 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
396 * Until the race is fixed our kext clients are responsible for all active requests that may
397 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
398 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
399 * unlisten race.
400 */
401 if (scope->ks_listeners[i].kll_listenerp == NULL ||
402 scope->ks_listeners[i].kll_callback == NULL) {
403 continue;
404 }
405
406 ret = scope->ks_listeners[i].kll_callback(
407 credential, scope->ks_listeners[i].kll_idata,
408 action, arg0, arg1, arg2, arg3);
409 if ((ret == KAUTH_RESULT_DENY) ||
410 (result == KAUTH_RESULT_DEFER)) {
411 result = ret;
412 }
413 }
414 }
415
416 /* we need an explicit allow, or the auth fails */
417 /* XXX need a mechanism for auth failure to be signalled vs. denial */
418 return result == KAUTH_RESULT_ALLOW ? 0 : EPERM;
419}
420
421/*
422 * Default authorization handlers.
423 */
424int
425kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
426 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
427{
428 return KAUTH_RESULT_ALLOW;
429}
430
431#if 0
432/*
433 * Debugging support.
434 */
435static int
436kauth_scope_valid(kauth_scope_t scope)
437{
438 kauth_scope_t sp;
439
440 KAUTH_SCOPELOCK();
441 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
442 if (sp == scope) {
443 break;
444 }
445 }
446 KAUTH_SCOPEUNLOCK();
447 return (sp == NULL) ? 0 : 1;
448}
449#endif
450
451/*
452 * Process authorization scope.
453 */
454
455int
456kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
457{
458 return kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3);
459}
460
461static int
462kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
463 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
464{
465 switch (action) {
466 case KAUTH_PROCESS_CANSIGNAL:
467 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
468 /* XXX credential wrong here */
469 /* arg0 - process to signal
470 * arg1 - signal to send the process
471 */
472 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) {
473 return KAUTH_RESULT_ALLOW;
474 }
475 break;
476 case KAUTH_PROCESS_CANTRACE:
477 /* current_proc() - process that will do the tracing
478 * arg0 - process to be traced
479 * arg1 - pointer to int - reason (errno) for denial
480 */
481 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) {
482 return KAUTH_RESULT_ALLOW;
483 }
484 break;
485 }
486
487 /* no explicit result, so defer to others in the chain */
488 return KAUTH_RESULT_DEFER;
489}
490
491/*
492 * File system operation authorization scope. This is really only a notification
493 * of the file system operation, not an authorization check. Thus the result is
494 * not relevant.
495 * arguments passed to KAUTH_FILEOP_OPEN listeners
496 * arg0 is pointer to vnode (vnode *) for given user path.
497 * arg1 is pointer to path (char *) passed in to open.
498 * arguments passed to KAUTH_FILEOP_CLOSE listeners
499 * arg0 is pointer to vnode (vnode *) for file to be closed.
500 * arg1 is pointer to path (char *) of file to be closed.
501 * arg2 is close flags.
502 * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners
503 * arg0 is pointer to vnode (vnode *) of the file being renamed
504 * arg1 is pointer to the "from" path (char *)
505 * arg2 is pointer to the "to" path (char *)
506 * arguments passed to KAUTH_FILEOP_RENAME listeners
507 * arg0 is pointer to "from" path (char *).
508 * arg1 is pointer to "to" path (char *).
509 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
510 * arg0 is pointer to file 1 path (char *).
511 * arg1 is pointer to file 2 path (char *).
512 * arguments passed to KAUTH_FILEOP_EXEC listeners
513 * arg0 is pointer to vnode (vnode *) for executable.
514 * arg1 is pointer to path (char *) to executable.
515 */
516
517int
518kauth_authorize_fileop_has_listeners(void)
519{
520 /*
521 * return 1 if we have any listeners for the fileop scope
522 * otherwize return 0
523 */
524 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
525 return 1;
526 }
527 return 0;
528}
529
530int
531kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
532{
533 char *namep = NULL;
534 int name_len;
535 uintptr_t arg2 = 0;
536
537 /* we do not have a primary handler for the fileop scope so bail out if
538 * there are no listeners.
539 */
540 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
541 return 0;
542 }
543
544 if (action == KAUTH_FILEOP_OPEN ||
545 action == KAUTH_FILEOP_CLOSE ||
546 action == KAUTH_FILEOP_EXEC ||
547 action == KAUTH_FILEOP_WILL_RENAME) {
548 /* get path to the given vnode as a convenience to our listeners.
549 */
550 namep = get_pathbuff();
551 name_len = MAXPATHLEN;
552 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
553 release_pathbuff(namep);
554 return 0;
555 }
556 if (action == KAUTH_FILEOP_CLOSE ||
557 action == KAUTH_FILEOP_WILL_RENAME) {
558 /*
559 * - Close has some flags that come in via arg1.
560 * - Will-rename wants to pass the vnode and
561 * both paths to the listeners ("to" path
562 * starts in arg1, moves to arg2).
563 */
564 arg2 = arg1;
565 }
566 arg1 = (uintptr_t)namep;
567 }
568 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
569
570 if (namep != NULL) {
571 release_pathbuff(namep);
572 }
573
574 return 0;
575}
576
577/*
578 * Generic authorization scope.
579 */
580
581int
582kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
583{
584 if (credential == NULL) {
585 panic("auth against NULL credential");
586 }
587
588 return kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0);
589}
590
591static int
592kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
593 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
594{
595 switch (action) {
596 case KAUTH_GENERIC_ISSUSER:
597 /* XXX == 0 ? */
598 return (kauth_cred_getuid(credential) == 0) ?
599 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
600 }
601
602 /* no explicit result, so defer to others in the chain */
603 return KAUTH_RESULT_DEFER;
604}
605
606/*
607 * ACL evaluator.
608 *
609 * Determines whether the credential has the requested rights for an object secured by the supplied
610 * ACL.
611 *
612 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
613 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
614 */
615int
616kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
617{
618 int applies, error, i, gotguid;
619 kauth_ace_t ace;
620 guid_t guid;
621 uint32_t rights;
622 int wkguid;
623
624 /* always allowed to do nothing */
625 if (eval->ae_requested == 0) {
626 eval->ae_result = KAUTH_RESULT_ALLOW;
627 return 0;
628 }
629
630 eval->ae_residual = eval->ae_requested;
631 eval->ae_found_deny = FALSE;
632
633 /*
634 * Get our guid for comparison purposes.
635 */
636 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
637 KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error);
638 error = 0;
639 gotguid = 0;
640 } else {
641 gotguid = 1;
642 }
643
644 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
645 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
646 /*
647 * Skip inherit-only entries.
648 */
649 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) {
650 continue;
651 }
652
653 /*
654 * Expand generic rights, if appropriate.
655 */
656 rights = ace->ace_rights;
657 if (rights & KAUTH_ACE_GENERIC_ALL) {
658 rights |= eval->ae_exp_gall;
659 }
660 if (rights & KAUTH_ACE_GENERIC_READ) {
661 rights |= eval->ae_exp_gread;
662 }
663 if (rights & KAUTH_ACE_GENERIC_WRITE) {
664 rights |= eval->ae_exp_gwrite;
665 }
666 if (rights & KAUTH_ACE_GENERIC_EXECUTE) {
667 rights |= eval->ae_exp_gexec;
668 }
669
670 /*
671 * Determine whether this entry applies to the current request. This
672 * saves us checking the GUID if the entry has nothing to do with what
673 * we're currently doing.
674 */
675 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
676 case KAUTH_ACE_PERMIT:
677 if (!(eval->ae_residual & rights)) {
678 continue;
679 }
680 break;
681 case KAUTH_ACE_DENY:
682 if (!(eval->ae_requested & rights)) {
683 continue;
684 }
685 eval->ae_found_deny = TRUE;
686 break;
687 default:
688 /* we don't recognise this ACE, skip it */
689 continue;
690 }
691
692 /*
693 * Verify whether this entry applies to the credential.
694 */
695 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
696 switch (wkguid) {
697 case KAUTH_WKG_OWNER:
698 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
699 break;
700 case KAUTH_WKG_GROUP:
701 if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) {
702 applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY);
703 } else {
704 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
705 }
706 break;
707 /* we short-circuit these here rather than wasting time calling the group membership code */
708 case KAUTH_WKG_EVERYBODY:
709 applies = 1;
710 break;
711 case KAUTH_WKG_NOBODY:
712 applies = 0;
713 break;
714
715 default:
716 /* check to see whether it's exactly us, or a group we are a member of */
717 applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable);
718 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
719 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
720
721 if (!applies) {
722 error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
723 /*
724 * If we can't resolve group membership, we have to limit misbehaviour.
725 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
726 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
727 * is a member (avoid failing to deny).
728 */
729 if (error != 0) {
730 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
731 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
732 case KAUTH_ACE_PERMIT:
733 applies = 0;
734 break;
735 case KAUTH_ACE_DENY:
736 applies = 1;
737 break;
738 }
739 } else {
740 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
741 }
742 } else {
743 KAUTH_DEBUG(" ACL - entry matches caller");
744 }
745 }
746 if (!applies) {
747 continue;
748 }
749
750 /*
751 * Apply ACE to outstanding rights.
752 */
753 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
754 case KAUTH_ACE_PERMIT:
755 /* satisfy any rights that this ACE grants */
756 eval->ae_residual = eval->ae_residual & ~rights;
757 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
758 /* all rights satisfied? */
759 if (eval->ae_residual == 0) {
760 eval->ae_result = KAUTH_RESULT_ALLOW;
761 return 0;
762 }
763 break;
764 case KAUTH_ACE_DENY:
765 /* deny the request if any of the requested rights is denied */
766 if (eval->ae_requested & rights) {
767 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
768 eval->ae_result = KAUTH_RESULT_DENY;
769 return 0;
770 }
771 break;
772 default:
773 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
774 break;
775 }
776 }
777 /* if not permitted, defer to other modes of authorisation */
778 eval->ae_result = KAUTH_RESULT_DEFER;
779 return 0;
780}
781
782/*
783 * Perform ACL inheritance and umask-ACL handling.
784 *
785 * Entries are inherited from the ACL on dvp. A caller-supplied
786 * ACL is in initial, and the result is output into product.
787 * If the process has a umask ACL and one is not supplied, we use
788 * the umask ACL.
789 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
790 */
791int
792kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
793{
794 int entries, error, index;
795 unsigned int i;
796 struct vnode_attr dva;
797 kauth_acl_t inherit, result;
798
799 /*
800 * Fetch the ACL from the directory. This should never fail.
801 * Note that we don't manage inheritance when the remote server is
802 * doing authorization, since this means server enforcement of
803 * inheritance semantics; we just want to compose the initial
804 * ACL and any inherited ACE entries from the container object.
805 *
806 * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
807 */
808 inherit = NULL;
809 /*
810 * If there is no initial ACL, or there is, and the initial ACLs
811 * flags do not request "no inheritance", then we inherit. This allows
812 * initial object creation via open_extended() and mkdir_extended()
813 * to reject inheritance for themselves and for inferior nodes by
814 * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
815 * flag set in the flags field.
816 */
817 if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) &&
818 (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
819 VATTR_INIT(&dva);
820 VATTR_WANTED(&dva, va_acl);
821 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
822 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
823 return error;
824 }
825 if (VATTR_IS_SUPPORTED(&dva, va_acl)) {
826 inherit = dva.va_acl;
827 }
828 }
829
830 /*
831 * Compute the number of entries in the result ACL by scanning the
832 * input lists.
833 */
834 entries = 0;
835 if (inherit != NULL) {
836 for (i = 0; i < inherit->acl_entrycount; i++) {
837 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
838 entries++;
839 }
840 }
841 }
842
843 if (initial == NULL) {
844 /*
845 * XXX 3634665 TODO: if the initial ACL is not specfied by
846 * XXX the caller, fetch the umask ACL from the process,
847 * and use it in place of "initial".
848 */
849 }
850
851 if (initial != NULL) {
852 if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) {
853 entries += initial->acl_entrycount;
854 } else {
855 initial = NULL;
856 }
857 }
858
859 /*
860 * If there is no initial ACL, and no inheritable entries, the
861 * object should be created with no ACL at all.
862 * Note that this differs from the case where the initial ACL
863 * is empty, in which case the object must also have an empty ACL.
864 */
865 if ((entries == 0) && (initial == NULL)) {
866 *product = NULL;
867 error = 0;
868 goto out;
869 }
870
871 /*
872 * Allocate the result buffer.
873 */
874 if ((result = kauth_acl_alloc(entries)) == NULL) {
875 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries);
876 error = ENOMEM;
877 goto out;
878 }
879
880 /*
881 * Composition is simply:
882 * - initial direct ACEs
883 * - inherited ACEs from new parent
884 */
885 index = 0;
886 if (initial != NULL) {
887 for (i = 0; i < initial->acl_entrycount; i++) {
888 if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) {
889 result->acl_ace[index++] = initial->acl_ace[i];
890 }
891 }
892 KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount);
893 }
894 if (inherit != NULL) {
895 for (i = 0; i < inherit->acl_entrycount; i++) {
896 /*
897 * Inherit onto this object? We inherit only if
898 * the target object is a container object and the
899 * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
900 * if the target object is not a container, and
901 * the KAUTH_ACE_FILE_INHERIT bit is set.
902 */
903 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
904 result->acl_ace[index] = inherit->acl_ace[i];
905 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
906 result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT;
907 /*
908 * We do not re-inherit inheritance flags
909 * if the ACE from the container has a
910 * KAUTH_ACE_LIMIT_INHERIT, OR if the new
911 * object is not itself a container (since
912 * inheritance is always container-based).
913 */
914 if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) {
915 result->acl_ace[index].ace_flags &=
916 ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS);
917 }
918 index++;
919 }
920 }
921 }
922 result->acl_entrycount = index;
923 *product = result;
924 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
925 error = 0;
926out:
927 if (inherit != NULL) {
928 kauth_acl_free(inherit);
929 }
930 return error;
931}
932
933/*
934 * Optimistically copy in a kauth_filesec structure
935 *
936 * Parameters: xsecurity user space kauth_filesec_t
937 * xsecdstpp pointer to kauth_filesec_t to be
938 * modified to contain the contain a
939 * pointer to an allocated copy of the
940 * user space argument
941 *
942 * Returns: 0 Success
943 * ENOMEM Insufficient memory for the copy.
944 * EINVAL The user space data was invalid, or
945 * there were too many ACE entries.
946 * EFAULT The user space address was invalid;
947 * this may mean 'fsec_entrycount' in
948 * the user copy is corrupt/incorrect.
949 *
950 * Implicit returns: xsecdestpp, modified (only if successful!)
951 *
952 * Notes: The returned kauth_filesec_t is in host byte order
953 *
954 * The caller is responsible for freeing the returned
955 * kauth_filesec_t in the success case using the function
956 * kauth_filesec_free()
957 *
958 * Our largest initial guess is 32; this needs to move to
959 * a manifest constant in <sys/kauth.h>.
960 */
961int
962kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
963{
964 int error;
965 kauth_filesec_t fsec;
966 size_t count;
967 size_t copysize;
968
969 error = 0;
970 fsec = NULL;
971
972 /*
973 * Make a guess at the size of the filesec. We start with the base
974 * pointer, and look at how much room is left on the page, clipped
975 * to a sensible upper bound. If it turns out this isn't enough,
976 * we'll size based on the actual ACL contents and come back again.
977 *
978 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
979 * value here is fairly arbitrary. It's ok to have a zero count.
980 *
981 * Because we're just using these values to make a guess about the
982 * number of entries, the actual address doesn't matter, only their
983 * relative offsets into the page. We take advantage of this to
984 * avoid an overflow in the rounding step (this is a user-provided
985 * parameter, so caution pays off).
986 */
987 {
988 user_addr_t known_bound = (xsecurity & PAGE_MASK) + KAUTH_FILESEC_SIZE(0);
989 user_addr_t uaddr = (user_addr_t)mach_vm_round_page(known_bound);
990 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
991 }
992 if (count > 32) {
993 count = 32;
994 }
995restart:
996 if ((fsec = kauth_filesec_alloc((int)count)) == NULL) {
997 error = ENOMEM;
998 goto out;
999 }
1000 copysize = KAUTH_FILESEC_SIZE(count);
1001 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) {
1002 goto out;
1003 }
1004
1005 /* validate the filesec header */
1006 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
1007 error = EINVAL;
1008 goto out;
1009 }
1010
1011 /*
1012 * Is there an ACL payload, and is it too big?
1013 */
1014 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
1015 (fsec->fsec_entrycount > count)) {
1016 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
1017 /* XXX This should be E2BIG */
1018 error = EINVAL;
1019 goto out;
1020 }
1021 count = fsec->fsec_entrycount;
1022 kauth_filesec_free(fsec);
1023 goto restart;
1024 }
1025
1026out:
1027 if (error) {
1028 if (fsec) {
1029 kauth_filesec_free(fsec);
1030 }
1031 } else {
1032 *xsecdestpp = fsec;
1033 AUDIT_ARG(opaque, fsec, copysize);
1034 }
1035 return error;
1036}
1037
1038/*
1039 * Allocate a block of memory containing a filesec structure, immediately
1040 * followed by 'count' kauth_ace structures.
1041 *
1042 * Parameters: count Number of kauth_ace structures needed
1043 *
1044 * Returns: !NULL A pointer to the allocated block
1045 * NULL Invalid 'count' or insufficient memory
1046 *
1047 * Notes: Returned memory area assumes that the structures are packed
1048 * densely, so this function may only be used by code that also
1049 * assumes no padding following structures.
1050 *
1051 * The returned structure must be freed by the caller using the
1052 * function kauth_filesec_free(), in case we decide to use an
1053 * allocation mechanism that is aware of the object size at some
1054 * point, since the object size is only available by introspecting
1055 * the object itself.
1056 */
1057kauth_filesec_t
1058kauth_filesec_alloc(int count)
1059{
1060 kauth_filesec_t fsp;
1061
1062 /* if the caller hasn't given us a valid size hint, assume the worst */
1063 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) {
1064 return NULL;
1065 }
1066
1067 fsp = kheap_alloc(KM_KAUTH, KAUTH_FILESEC_SIZE(count), Z_WAITOK);
1068 if (fsp != NULL) {
1069 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
1070 fsp->fsec_owner = kauth_null_guid;
1071 fsp->fsec_group = kauth_null_guid;
1072 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
1073 fsp->fsec_flags = 0;
1074 }
1075 return fsp;
1076}
1077
1078/*
1079 * Free a kauth_filesec_t that was previous allocated, either by a direct
1080 * call to kauth_filesec_alloc() or by calling a function that calls it.
1081 *
1082 * Parameters: fsp kauth_filesec_t to free
1083 *
1084 * Returns: (void)
1085 *
1086 * Notes: The kauth_filesec_t to be freed is assumed to be in host
1087 * byte order so that this function can introspect it in the
1088 * future to determine its size, if necesssary.
1089 */
1090void
1091kauth_filesec_free(kauth_filesec_t fsp)
1092{
1093#ifdef KAUTH_DEBUG_ENABLE
1094 if (fsp == KAUTH_FILESEC_NONE) {
1095 panic("freeing KAUTH_FILESEC_NONE");
1096 }
1097 if (fsp == KAUTH_FILESEC_WANTED) {
1098 panic("freeing KAUTH_FILESEC_WANTED");
1099 }
1100#endif
1101 kheap_free_addr(KM_KAUTH, fsp);
1102}
1103
1104/*
1105 * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
1106 * ACL interior to 'fsec' instead. If the endianness doesn't change, then
1107 * this function will have no effect.
1108 *
1109 * Parameters: kendian The endianness to set; this is either
1110 * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
1111 * fsec The filesec to convert.
1112 * acl The ACL to convert (optional)
1113 *
1114 * Returns: (void)
1115 *
1116 * Notes: We use ntohl() because it has a transitive property on Intel
1117 * machines and no effect on PPC mancines. This guarantees us
1118 * that the swapping only occurs if the endiannes is wrong.
1119 */
1120void
1121kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl)
1122{
1123 uint32_t compare_magic = KAUTH_FILESEC_MAGIC;
1124 uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC);
1125 uint32_t compare_acl_entrycount;
1126 uint32_t i;
1127
1128 if (compare_magic == invert_magic) {
1129 return;
1130 }
1131
1132 /* If no ACL, use ACL interior to 'fsec' instead */
1133 if (acl == NULL) {
1134 acl = &fsec->fsec_acl;
1135 }
1136
1137 compare_acl_entrycount = acl->acl_entrycount;
1138
1139 /*
1140 * Only convert what needs to be converted, and only if the arguments
1141 * are valid. The following switch and tests effectively reject
1142 * conversions on invalid magic numbers as a desirable side effect.
1143 */
1144 switch (kendian) {
1145 case KAUTH_ENDIAN_HOST: /* not in host, convert to host */
1146 if (fsec->fsec_magic != invert_magic) {
1147 return;
1148 }
1149 /* acl_entrycount is byteswapped */
1150 compare_acl_entrycount = ntohl(acl->acl_entrycount);
1151 break;
1152 case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */
1153 if (fsec->fsec_magic != compare_magic) {
1154 return;
1155 }
1156 break;
1157 default: /* bad argument */
1158 return;
1159 }
1160
1161 /* We are go for conversion */
1162 fsec->fsec_magic = ntohl(fsec->fsec_magic);
1163 acl->acl_entrycount = ntohl(acl->acl_entrycount);
1164 if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) {
1165 acl->acl_flags = ntohl(acl->acl_flags);
1166
1167 /* swap ACE rights and flags */
1168 for (i = 0; i < compare_acl_entrycount; i++) {
1169 acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags);
1170 acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights);
1171 }
1172 }
1173}
1174
1175
1176/*
1177 * Allocate an ACL buffer.
1178 */
1179kauth_acl_t
1180kauth_acl_alloc(int count)
1181{
1182 kauth_acl_t aclp;
1183
1184 /* if the caller hasn't given us a valid size hint, assume the worst */
1185 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) {
1186 return NULL;
1187 }
1188
1189 aclp = kheap_alloc(KM_KAUTH, KAUTH_ACL_SIZE(count), Z_WAITOK);
1190 if (aclp != NULL) {
1191 aclp->acl_entrycount = 0;
1192 aclp->acl_flags = 0;
1193 }
1194 return aclp;
1195}
1196
1197void
1198kauth_acl_free(kauth_acl_t aclp)
1199{
1200 /*
1201 * It's possible this may have have been allocated in a kext using
1202 * MALLOC. Using KHEAP_ANY will allow us to free it here.
1203 */
1204 kheap_free_addr(KHEAP_ANY, aclp);
1205}
1206
1207
1208/*
1209 * WARNING - caller must hold KAUTH_SCOPELOCK
1210 */
1211static int
1212kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1213{
1214 int i;
1215
1216 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1217 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1218 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1219 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1220 sp->ks_listeners[i].kll_listenerp = klp;
1221 sp->ks_flags |= KS_F_HAS_LISTENERS;
1222 return 0;
1223 }
1224 }
1225 return ENOSPC;
1226}
mirror of XNU